Exemplo n.º 1
0
// ParseAnnotations parses the annotations contained in the ingress
// rule used to limit access to certain client addresses or networks.
// Multiple ranges can specified using commas as separator
// e.g. `18.0.0.0/8,56.0.0.0/8`
func ParseAnnotations(cfg defaults.Backend, ing *extensions.Ingress) (*SourceRange, error) {
	sort.Strings(cfg.WhitelistSourceRange)
	if ing.GetAnnotations() == nil {
		return &SourceRange{CIDR: cfg.WhitelistSourceRange}, parser.ErrMissingAnnotations
	}

	val, err := parser.GetStringAnnotation(whitelist, ing)
	if err != nil {
		return &SourceRange{CIDR: cfg.WhitelistSourceRange}, err
	}

	values := strings.Split(val, ",")
	ipnets, err := sets.ParseIPNets(values...)
	if err != nil {
		return &SourceRange{CIDR: cfg.WhitelistSourceRange}, ErrInvalidCIDR
	}

	cidrs := []string{}
	for k := range ipnets {
		cidrs = append(cidrs, k)
	}

	sort.Strings(cidrs)

	return &SourceRange{cidrs}, nil
}
Exemplo n.º 2
0
// ParseAnnotations parses the annotations contained in the ingress
// rule used to configure upstream check parameters
func ParseAnnotations(cfg defaults.Backend, ing *extensions.Ingress) *Configuration {
	if ing == nil || ing.GetAnnotations() == nil {
		return &Configuration{
			cfg.ProxyConnectTimeout,
			cfg.ProxySendTimeout,
			cfg.ProxyReadTimeout,
			cfg.ProxyBufferSize,
		}
	}

	ct, err := parser.GetIntAnnotation(connect, ing)
	if err != nil {
		ct = cfg.ProxyConnectTimeout
	}

	st, err := parser.GetIntAnnotation(send, ing)
	if err != nil {
		st = cfg.ProxySendTimeout
	}

	rt, err := parser.GetIntAnnotation(read, ing)
	if err != nil {
		rt = cfg.ProxyReadTimeout
	}

	bs, err := parser.GetStringAnnotation(bufferSize, ing)
	if err != nil || bs == "" {
		bs = cfg.ProxyBufferSize
	}

	return &Configuration{ct, st, rt, bs}
}
Exemplo n.º 3
0
// ParseAnnotations parses the annotations contained in the ingress
// rule used to use an external URL as source for authentication
func ParseAnnotations(ing *extensions.Ingress) (External, error) {
	if ing.GetAnnotations() == nil {
		return External{}, parser.ErrMissingAnnotations
	}

	str, err := parser.GetStringAnnotation(authURL, ing)
	if err != nil {
		return External{}, err
	}
	if str == "" {
		return External{}, fmt.Errorf("an empty string is not a valid URL")
	}

	ur, err := url.Parse(str)
	if err != nil {
		return External{}, err
	}
	if ur.Scheme == "" {
		return External{}, fmt.Errorf("url scheme is empty")
	}
	if ur.Host == "" {
		return External{}, fmt.Errorf("url host is empty")
	}

	if strings.Contains(ur.Host, "..") {
		return External{}, fmt.Errorf("invalid url host")
	}

	m, _ := parser.GetStringAnnotation(authMethod, ing)
	if len(m) != 0 && !validMethod(m) {
		return External{}, fmt.Errorf("invalid HTTP method")
	}

	sb, _ := parser.GetBoolAnnotation(authBody, ing)

	return External{
		URL:      str,
		Method:   m,
		SendBody: sb,
	}, nil
}
Exemplo n.º 4
0
// ParseAnnotations parses the annotations contained in the ingress
// rule used to add authentication in the paths defined in the rule
// and generated an htpasswd compatible file to be used as source
// during the authentication process
func ParseAnnotations(ing *extensions.Ingress, authDir string, fn func(string) (*api.Secret, error)) (*BasicDigest, error) {
	if ing.GetAnnotations() == nil {
		return &BasicDigest{}, parser.ErrMissingAnnotations
	}

	at, err := parser.GetStringAnnotation(authType, ing)
	if err != nil {
		return &BasicDigest{}, err
	}

	if !authTypeRegex.MatchString(at) {
		return &BasicDigest{}, ErrInvalidAuthType
	}

	s, err := parser.GetStringAnnotation(authSecret, ing)
	if err != nil {
		return &BasicDigest{}, err
	}

	secret, err := fn(fmt.Sprintf("%v/%v", ing.Namespace, s))
	if err != nil {
		return &BasicDigest{}, err
	}

	realm, _ := parser.GetStringAnnotation(authRealm, ing)

	passFile := fmt.Sprintf("%v/%v-%v.passwd", authDir, ing.GetNamespace(), ing.GetName())
	err = dumpSecret(passFile, secret)
	if err != nil {
		return &BasicDigest{}, err
	}

	return &BasicDigest{
		Type:    at,
		Realm:   realm,
		File:    passFile,
		Secured: true,
	}, nil
}
Exemplo n.º 5
0
// ParseAnnotations parses the annotations contained in the ingress
// rule used to rewrite the defined paths
func ParseAnnotations(cfg defaults.Backend, ing *extensions.Ingress) (*Redirect, error) {
	if ing.GetAnnotations() == nil {
		return &Redirect{}, errors.New("no annotations present")
	}

	sslRe, err := parser.GetBoolAnnotation(sslRedirect, ing)
	if err != nil {
		sslRe = cfg.SSLRedirect
	}

	rt, _ := parser.GetStringAnnotation(rewriteTo, ing)
	abu, _ := parser.GetBoolAnnotation(addBaseURL, ing)
	return &Redirect{
		Target:      rt,
		AddBaseURL:  abu,
		SSLRedirect: sslRe,
	}, nil
}
Exemplo n.º 6
0
// secrReferenced checks if a secret is referenced or not by one or more Ingress rules
func (ic *GenericController) secrReferenced(name, namespace string) bool {
	for _, ingIf := range ic.ingLister.Store.List() {
		ing := ingIf.(*extensions.Ingress)
		str, err := parser.GetStringAnnotation("ingress.kubernetes.io/auth-tls-secret", ing)
		if err == nil && str == fmt.Sprintf("%v/%v", namespace, name) {
			return true
		}
		if ing.Namespace != namespace {
			continue
		}
		for _, tls := range ing.Spec.TLS {
			if tls.SecretName == name {
				return true
			}
		}
	}
	return false
}
Exemplo n.º 7
0
// ParseAnnotations parses the annotations contained in the ingress
// rule used to use an external URL as source for authentication
func ParseAnnotations(ing *extensions.Ingress,
	fn func(secret string) (*SSLCert, error)) (*SSLCert, error) {
	if ing.GetAnnotations() == nil {
		return &SSLCert{}, parser.ErrMissingAnnotations
	}

	str, err := parser.GetStringAnnotation(authTLSSecret, ing)
	if err != nil {
		return &SSLCert{}, err
	}

	if str == "" {
		return &SSLCert{}, fmt.Errorf("an empty string is not a valid secret name")
	}

	_, _, err = k8s.ParseNameNS(str)
	if err != nil {
		return &SSLCert{}, err
	}

	return fn(str)
}